StorageExperts

How LTO Ultrium tape supports GDPR compliant data processing systems

Learn how HPE StoreEver tape storage solutions bring a number of cybersecurity benefits to your business as you consider your General Data Protection Regulation (GDPR) compliance strategy.

When it comes to GDPR compliance, is your cybersecurity plan locked down? Before I delve into a deeper discussion on how offline tape storage can enhance the security of data processing under GDPR, let me first cover some of the GDPR basics—and note that this blog accompanies a new technical paper on the security topic.

What is the GDPR and what are its aims?

By now, I am sure most readers are familiar with the GDPR. In simple terms, it’s legislation developed to strengthen and unify data privacy protection for natural persons within the European Union. It can impact any business, regardless of location, that processes the personal data of European individuals.

The primary objective of the GDPR is to provide rules relating to the protection of natural persons with regard to the processing of personally identifiable information (PII). The key principles of the GDPR in relation to the processing of personal data are: lawfulness, fairness, transparency, scope for purpose, data minimization, accuracy, integrity, confidentiality and accountability.

In essence, the GDPR means that safeguards for personal data will have to be designed into the very fabric of how personal data is captured, managed, used and stored during its lifecycle. While this might appear challenging, for many organizations the GDPR is actually an opportunity to gain better insight into where personal data is gathered, used, and stored, in order to assess how robustly it is protected.

Technology neutral

It’s worth reiterating that the GDPR is explicitly “technology neutral”[i], so that the protection of individuals’ rights in respect of their personal data does not depend on the methods used. The GDPR does not recommend or exclude any single storage technology as a means of compliance. Enterprises will probably need to evaluate their options and choose a mix of solutions depending on which aspect of compliance they are trying to address.

HPE StoreEver tape offers some compelling benefits when it comes to GDPR compliance.

The benefits of encrypting personal data using LTO Ultrium tape

Encryption—a key feature of LTO technology—is one of only a few techniques specifically mentioned by the GDPR in the context of data protection and security[ii]. And when it comes to encryption, tape is a highly efficient and effective data protection solution for three main reasons:

  1. HPE LTO drives use the 256-bit Advanced Encryption Standard with Galois/Counter Mode of operation (AES256-GCM for short). AES256-GCM conforms to specific US and international standards published by a number of standards bodies.
  2. The tape drive or tape library itself does the heavy lifting of encrypting terabytes, or even petabytes, of data “on the fly”, instead of the data being passed through an expensive secondary appliance. Tape encryption is therefore much cheaper and places less of a burden on your network.
  3. Because the tape device manages the encryption process, there is no performance degradation for compression or encryption[iii], which offers massive benefits in terms of data throughput (e.g. in comparison to software or appliances that create additional server workload).

How tape encryption can mitigate the impact of a data breach as defined by GDPR

Tape encryption may also help customers minimize risk and make it easier to comply with critical GDPR requirements, such as security of processing.

Article 34[iv] of the GDPR states that in the event of a personal data breach, controllers are obliged to communicate the incident to the data subject “without undue delay.” But Article 34 also says that this communication is not required if the personal data has been rendered unintelligible to any person not authorized to access it, for example through encryption.

The ability of LTO Ultrium tape devices to encrypt large amounts of data quickly and easily may help reduce administrative workloads and mitigate the risk of GDPR non-compliance for enterprises processing personal data at scale.

In the worst-case scenario of personal data being lost or stolen, which would constitute a personal data breach under Article 4 (12), if the data was encrypted, then Article 83 says that due regard shall be given to “the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.” Encryption is specifically mentioned as one of the technologies that may mitigate the risk of a data breach (e.g. “taking into account technical measures . . . implemented by them”) and, by association, the consequential penalties.

How offline tape storage enhances the security of data processing under GDPR

Another core benefit of tape technology relevant to security-of-processing considerations is that tape is essentially an offline storage medium: a cartridge that is not mounted in a drive is not reachable over the network, and it can be placed in a controlled and secure facility to reduce the risk of data loss or disruption caused by cyberattack, malware or other hostile intent.

It would be very difficult for a malicious individual to gain authenticated system access and then physical or logical access to the tape library or vault where the data was being stored. And even if they managed this feat, they would still need the encryption keys to be able to read the data from the tapes, so key management remains the control that the whole scheme depends on.

Deployment of tape, therefore, may greatly increase the resilience of an organization to recover personal data in the event of a physical or technical incident and lessen the potential risk of GDPR non-compliance.

The TCO benefit of tape

In its technical paper “Technology's role in data protection—the missing link in GDPR transformation”, PwC points out that there is likely to be a cost/benefit aspect to any assessment of the risks of GDPR non-compliance. In a recent study, analysts at ESG concluded that tape offered an 88% TCO advantage over disk and a 66% advantage over cloud for archiving data over a ten-year period. Since tape has a very low TCO compared to disk and cloud, it can help companies manage risk more cost effectively. Businesses can protect large quantities of personal data securely and relatively inexpensively, which might help mitigate storage costs and accelerate progress towards GDPR compliance by freeing resources to be deployed elsewhere.

Finally, it’s important to remember that the GDPR relates to personal or PII data. The digital data sphere, which IDC forecasts will reach 163 ZB (163 trillion GB) by 2025, will contain vast quantities of commercially valuable, non-personal data for which tape undoubtedly remains the pre-eminent platform for long-term retention because of its low cost, security and scalability.

Building the case for the role tape storage and GDPR play in your cybersecurity plan

There may not be a better business case for your organization to fortify your cybersecurity and risk management portfolios than the GDPR. The need to meet the higher data protection standards of the GDPR will offer organizations the opportunity to streamline IT, enhance server infrastructure security, and improve data management.

HPE is focused on the new world of threats and how to best protect against them. HPE StoreEver tape storage solutions can assist your organization with GDPR compliance.

Read the new technical paper: How LTO Ultrium tape can support a GDPR compliant data processing system (registration is required to download).

[Note: Please be aware that this article is not intended, and should not be used, as legal advice about the content, interpretation or application of the GDPR.]


Meet Around the Storage Block blogger Andrew Dodd, HPE Storage Media.

[i] Recital 15 - https://gdpr-info.eu/recitals/no-15/

[ii] Recital 83 - https://gdpr-info.eu/recitals/no-83/ “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”

[iii] A HPE LTO Encryption Technology White Paper is available here.

[iv] Article 34 - https://gdpr-info.eu/art-34-gdpr/

About the Author

StorageExperts

Our team of Hewlett Packard Enterprise storage experts helps you to dive deep into relevant infrastructure topics.